Controlling Information Systems: Business Process Controls

In this chapter we learn how to analyze narratives and system flowcharts and begin to analyze our documentation of business processes for controls that exist or are missing. For missing controls, implementation should proceed next (assuming the benefits of the control exceed its cost). For existing controls, we still need to determine whether they are operating as expected or need to be corrected, and lastly we need to determine whether we have too many overlapping controls in place, creating costs that exceed the benefits.

The Control Matrix (definition):

A tool designed to assist you in evaluating the potential effectiveness of controls in a particular business process by matching control goals with relevant control plans. It establishes the criteria to be used in evaluating the controls in a particular business process. The tool is also used to explain and analyze controls that have been annotated in a systems flowchart. SOX 404 requires that the effectiveness of control design be assessed. Auditors typically use a control matrix to do this.
  • Four Elements of a Control Matrix
    • control goals (for Operations Process and Information Process)
    • recommended control plans
    • cell entries
    • explanation of cell entries (how do the documented controls help achieve effectiveness, efficiency, security, validity, completeness and accuracy?)

Steps in Preparing the Control Matrix:


Step 1: Specify Control Goals:
The three goals that controls are intended to achieve are effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. When completing a control matrix, the first two goals are stated explicitly at the top of the matrix, and the third goal, compliance with applicable laws and regulations, is addressed within those two. For example, in the billing process, the goal of complying with the Robinson-Patman Act is addressed under the heading 'ensure effectiveness of operations.'
  • Identify operations process control goals:
    • Effectiveness goals: describe measures of success for the operations process. These are developed during an enterprise's risk-management process. There may be more than one goal. (Has the organization been successful in achieving the goals defined in their operations process?)
    • Efficiency goals: ensuring that resources used in the business process are being employed (by people and computers) in the most productive manner. (Has the organization spent a minimal amount of time and money accomplishing objectives without sacrificing the overall quality?)
    • Security goals: protecting entity resources (such as cash and information) from loss, destruction, disclosure, copying, sale, or other misuse. These are meant to manage risks identified in the enterprise risk-management process. (How effectively has the organization managed risks in order to ensure the protection of resources?); Relates to securing the resources that are "at-risk" in the process.
  • Identify information process goals:
    • Input goals (validity, completeness, and accuracy) with respect to all business process data entering the system:
      1. Input completeness: capturing all data
      2. Input validity: legitimacy of data
      3. Input accuracy: capturing data correctly
      4. Input goals question: Where is our information coming from?
    • Update goals (completeness and accuracy), only apply when there is a periodic process - a delay between input and update.
      1. Update completeness: incorporate all new data into existing master data
      2. Update accuracy: data reflected correctly in master data
      3. Update goals question: What are we updating?
Step 2: Identifying Recommended Control Plans:
  • Identify "Present" Control Plans (by examining the flowchart for process-related symbols that represent controls already in place): What kind and how many controls should be in place to accomplish the organization's goals while minimizing residual risk? Identify controls that appear to accomplish one or more of the control goals. Controls fall into two categories:
    1. generic controls
    2. controls that relate to a specific business process
  • Evaluating "Present" Control Plans: Starting with P-1, look across the row and determine which control goals the plan addresses, and then place a P-1 in each cell of the matrix for which P-1 is applicable. It is possible that a given control plan can attend to more than one control goal. Continue this procedure for each of the present control plans. Describe how the control plan addresses each noted control goal.
  • Identifying and Evaluating "Missing" Control Plans: Determine whether additional controls are needed to address control goals that no present plan covers, to strengthen present control plans, or both.
    • Examining the controls matrix: The first place to start is to look at the control matrix and see if there are any control goals (operations or information) that no present control plan is addressing. Even if a control goal has one or more controls, we still might have to add controls or strengthen present controls to reach our level of reasonable assurance.
    • Evaluating the systems flowchart: Even when every control goal on the matrix has one or more associated control plans, walking the flowchart may show areas where residual risk is still above the acceptable level, so additional control plans or stronger existing plans are needed there.
The completed control matrix and annotated flowchart will help to facilitate the evaluation through:
  • Control effectiveness: making sure that all of the control goals are actually achieved.
  • Control efficiency: using a control plan to address multiple organizational goals (instead of having one control per goal, use each control to its full potential and cover as many goals as it can).
  • Control redundancy: the opposite side of control efficiency, where too many controls are directed at the same goal.
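The three evaluations above can be read straight off the matrix once the cell entries exist. The following is an added example, not part of the original text: it builds a control matrix for a hypothetical order-entry process in Python, then reports the empty columns (goals no present plan addresses, i.e. candidates for missing-control rows), plans that serve several goals (efficiency), and goals with heavy overlap (redundancy). The plan names, the goals each plan is credited with, and the redundancy threshold of three plans are all assumptions made for the illustration.

```python
"""Control matrix evaluation: cell entries, uncovered goals, overlap (added example)."""
from collections import defaultdict

# Column headings: operations process goals, then information process goals.
# Update goals apply only when there is a delay between input and update.
OPERATIONS_GOALS = ["effectiveness", "efficiency", "security"]
INFORMATION_GOALS = ["input validity", "input completeness", "input accuracy",
                     "update completeness", "update accuracy"]
GOALS = OPERATIONS_GOALS + INFORMATION_GOALS

# Constructed example: present control plans annotated on a hypothetical
# order-entry flowchart and the goals each one addresses (the cell entries).
PRESENT_PLANS = {
    "P-1 Document design": ["efficiency", "input accuracy"],
    "P-2 Preformatted screens": ["efficiency", "input completeness", "input accuracy"],
    "P-3 Compare input data with master data": ["input validity", "input accuracy"],
    "P-4 Programmed edit checks": ["input accuracy"],
    "P-5 Confirm input acceptance": ["input completeness"],
}


def build_matrix(plans, goals=GOALS):
    """Return {plan: {goal: bool}}: True where P-n belongs in the cell."""
    return {plan: {g: (g in addressed) for g in goals}
            for plan, addressed in plans.items()}


def uncovered_goals(matrix):
    """Control effectiveness: goals whose column has no P-n entry at all."""
    return [g for g in GOALS if not any(row[g] for row in matrix.values())]


def plans_per_goal(matrix):
    """How many plans address each goal (input to the redundancy check)."""
    counts = defaultdict(int)
    for row in matrix.values():
        for g, present in row.items():
            counts[g] += int(present)
    return dict(counts)


def redundant_goals(matrix, threshold=3):
    """Control redundancy: goals addressed by at least `threshold` plans.
    The threshold is an assumption; whether the overlap costs more than it
    is worth remains a judgement the matrix only makes visible."""
    return [g for g, n in plans_per_goal(matrix).items() if n >= threshold]


def multi_goal_plans(matrix):
    """Control efficiency: plans whose row has more than one entry."""
    return [p for p, row in matrix.items() if sum(row.values()) > 1]


def render(matrix):
    """Print the matrix in the 'P-n in each applicable cell' style."""
    width = max(len(p) for p in matrix)
    print(" " * width, *[g[:10].rjust(10) for g in GOALS])
    for plan, row in matrix.items():
        tag = plan.split()[0]
        print(plan.ljust(width), *[(tag if row[g] else "-").rjust(10) for g in GOALS])


if __name__ == "__main__":
    m = build_matrix(PRESENT_PLANS)
    render(m)
    print("Goals with no present plan (candidate M-n rows):", uncovered_goals(m))
    print("Goals with heavy overlap:", redundant_goals(m))
    print("Plans serving several goals:", multi_goal_plans(m))
```

With these assumed cell entries the operations goals of effectiveness and security, and both update goals, have empty columns, so the next step would be to decide whether a missing control (M-1, M-2, ...) is worth adding for each, while the four plans all aimed at input accuracy are where redundancy should be questioned.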

Generic Control Plans:

    • Input Plans (Manual Input):
    • Input plans are one of the most important types of controls because data is most error prone when it is being entered into the system
      • Document Design: The source document is designed so that it is easy to complete and to enter; information is recorded in the same order in which it is keyed. If Document Design is the first present control, place P-1 next to its name in the control matrix and analyze which control goals it accomplishes. Do this for all the present controls and then evaluate what controls are missing.
      • Written Approvals: Signature or initials indicating approval of event processing. Electronic approvals provide for a more automated process.
      • Preformatted Screens: Defines acceptable format for each data field. Examples include a field having a drop-down list of choices for the user, automatically populating certain fields such as with the correct tax rate to use, or requiring certain fields to be populated before moving on so that the user cannot omit mandatory fields. Also, automatically moves cursor to the next field.
      • Online Prompting: Request user input or asks questions. Forces user to stop and check accuracy of data before moving on to reduce errors.
      • Populate Input Screens with Master Data:
        • User enters an entity's ID code and then the system retrieves data about that entity from the master data file.
        • User most likely prompted to enter Customer ID.
        • By accessing the master data file, the system automatically provides data unique for each customer.
        • Reduces the number of keystrokes required, making data entry quicker, more accurate, and more efficient.
        • The system automatically populates input fields with existing data.
      • Compare Input Data with Master Data:
        • The system compares inputs with existing master data to ensure the data's accuracy and validity.
        • Input/master data dependency checks: Test whether the contents of two or more data elements or fields have a correct logical relationship.
        • Input/master data validity and accuracy checks: Test whether master data supports the validity and accuracy of the input.
      • Procedures for Rejected Inputs: Ensure that input the system rejects (for example, because it does not agree with master data) is corrected and resubmitted, rather than silently dropped; the user reviews each rejection to determine whether the input is acceptable or contains errors, and any errors are corrected.
      • Programmed Edit Checks:
        • Automatically performed by data entry programs upon entry of any data. Types are:
          • Reasonableness checks (Limit checks): Tests inputs for values within predetermined limits. An example of this would be if someone ordered 1,000 books over the phone from Amazon.com. That is not the "usual" amount that someone would order; more than likely, a screen will pop up to ensure that this number is reasonable and not accidentally entered in.
          • Document/record hash totals: Compares a computer-calculated total over the entered data to a total calculated manually before entry.
          • Mathematical accuracy checks: Compares calculations performed manually to computer-calculated totals.
          • Check digit verification: A functionally dependent extra digit is added to a data entry, which allows the system to recognize data entry errors. The extra number is composed by performing a calculation (according to a known formula) on other numbers in the code.
      • Confirm Input Acceptance: Interactive programmed features that inform the user that the data input has been accepted and recorded, or rejected for processing.
      • Automated Data Entry: Captures accurate, valid input directly in digital form without manual keying.
      • Enter Data Close to the Originating Source: Helps recognize mistakes in a timely and efficient manner, as well as allowing for no transcription or transportation of source documents.
      • Digital Signature: Authenticates the identity of the signer and also lets the recipient detect any alteration of the signed data after it was signed.
    • CONTROL PLANS FOR DATA ENTRY WITH BATCHES
      • Uses batch totals as the major control
      • Produces an exception and summary report at the end of each major processing step
      • In order for Batch control plans to be effective, they should ensure that:
        • ALL documents are batched
        • ALL batches are submitted for processing
        • ALL batches are accepted by the computer
        • ALL differences disclosed by reconciliations are investigated and corrected on a timely basis
      • Must start by grouping event data and then calculating a control total for the group; several types of batch control totals can be calculated:
        • Document/record counts – minimum level required to control input completeness
          • Not sufficient if more than one event description can appear on a document
          • Not effective for ensuring input validity and says nothing about input accuracy
        • Item or line counts – improves input validity, completeness, and accuracy
        • Dollar totals – reduces possibility that entire documents could be added to or lost from batch or that dollar amounts were incorrectly input, improves validity, completeness, and accuracy
        • Hash totals – serve no purpose other than control. Can be powerful because can determine whether inputs have been altered, added, or deleted
    • Input Plans (Batch Input):
      • Turnaround Documents: (i.e. remittance advice) used to capture and input a subsequent event.
      • Manually Reconcile Batch Totals
      • Agree Run-to-run Totals (Reconcile input and output batch totals)
      • Review Tickler File (File of pending shipments)
      • One for One Checking (Compare picking tickets and packing slips): detailed comparison of the individual elements of two or more data sources to determine that they agree.
      • Key Verification: Takes place when input documents are keyed by one individual and then re-keyed by a second individual.
      • Sequence Check: can apply when documents are numbered sequentially to determine that all documents have been processed (completeness) and no extra documents have been processed (validity).
      • Computer agreement of Batch Totals
    • Edit Input Plans
    • Resolve Errors Plans
    • Correct Errors/Input Plans
    • Record Input Plans
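The programmed edit checks listed under the manual input plans are easiest to understand as code that runs on one keyed record. The block below is an added example, not part of the original text or of any product it describes: it applies check digit verification, input/master data validity, dependency and accuracy checks, a reasonableness (limit) check and a mathematical accuracy check to a hypothetical order line. The text says only that the check digit is computed "according to a known formula"; the formula used here is the mod-10 Luhn algorithm, one such formula, chosen for the example. The customer and item master data, the quantity limit of 100 and the rule that only wholesale customers may receive a discount are all constructed assumptions.

```python
"""Programmed edit checks on a keyed order line (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal


def luhn_check_digit(body: str) -> str:
    """Compute a mod-10 (Luhn) check digit for a string of digits.
    Luhn is one well-known check-digit formula; the text names none."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:              # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def check_digit_valid(code: str) -> bool:
    """Check digit verification: recompute the digit from the body and compare."""
    return code.isdigit() and len(code) >= 2 and luhn_check_digit(code[:-1]) == code[-1]


# Constructed master data; customer IDs carry a trailing Luhn check digit.
CUSTOMERS = {
    "1234566": {"name": "Acme Ltd", "type": "wholesale"},
    "7654320": {"name": "Jane Doe", "type": "retail"},
}
ITEMS = {"B-100": {"desc": "Paperback", "unit_price": Decimal("12.50")}}
MAX_REASONABLE_QTY = 100        # assumed limit for the reasonableness check


@dataclass
class OrderLine:
    customer_id: str
    item: str
    quantity: int
    unit_price: Decimal         # as keyed by the operator
    extended: Decimal           # as keyed; recomputed by the accuracy check
    discount_pct: int = 0


def edit_check(line: OrderLine) -> list[str]:
    """Run every programmed edit check on one line; return the errors found."""
    errors = []
    if not check_digit_valid(line.customer_id):
        errors.append("customer ID fails check digit")        # check digit verification
    elif line.customer_id not in CUSTOMERS:
        errors.append("customer ID not on master file")       # input/master validity
    elif line.discount_pct and CUSTOMERS[line.customer_id]["type"] != "wholesale":
        errors.append("discount only valid for wholesale")    # input/master dependency
    if line.item not in ITEMS:
        errors.append("item not on master file")
    elif line.unit_price != ITEMS[line.item]["unit_price"]:
        errors.append("unit price differs from master data")  # input/master accuracy
    if not 0 < line.quantity <= MAX_REASONABLE_QTY:
        errors.append(f"quantity {line.quantity} outside 1..{MAX_REASONABLE_QTY}")  # limit check
    expected = (line.unit_price * line.quantity * (100 - line.discount_pct) / 100).quantize(Decimal("0.01"))
    if line.extended != expected:
        errors.append(f"extended {line.extended} != {expected}")  # mathematical accuracy
    return errors


# Constructed inputs: a clean line, a transposed customer ID (1234566 -> 1243566),
# and a line that trips several checks at once.
GOOD_LINE = OrderLine("1234566", "B-100", 10, Decimal("12.50"), Decimal("125.00"))
TRANSPOSED_LINE = OrderLine("1243566", "B-100", 10, Decimal("12.50"), Decimal("125.00"))
BAD_LINE = OrderLine("7654320", "B-100", 1000, Decimal("12.50"), Decimal("12500.00"), 10)

if __name__ == "__main__":
    for name, line in [("good", GOOD_LINE), ("transposed", TRANSPOSED_LINE), ("bad", BAD_LINE)]:
        print(name, edit_check(line) or "accepted")   # confirm input acceptance
```

The transposed ID is rejected before any master-file lookup, which is the point of a check digit: it catches the keying error at the terminal, where it is cheapest to fix, and the empty error list for the good line is what a "confirm input acceptance" message would report back to the operator.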
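The batch control plans above (document/record counts, item counts, dollar totals, hash totals, agreeing run-to-run totals and the sequence check) are also easiest to see in code. This is an added example, not from the original text: it batches a constructed set of pre-numbered remittance advices, records the control totals at batching time, and then reconciles them against the totals recomputed after three simulated processing errors: a dropped document, a transposed account number, and a document from another batch keyed in by mistake. The remittance fields, document numbers and amounts are all constructed for the illustration.

```python
"""Batch control totals and run-to-run reconciliation (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Remittance:
    doc_no: int          # pre-numbered turnaround document
    account: str         # customer account number (hashed, not meaningful as a sum)
    lines: int           # number of invoices paid on the document
    amount: Decimal


@dataclass(frozen=True)
class BatchTotals:
    record_count: int    # document/record count
    item_count: int      # item or line count
    dollar_total: Decimal
    hash_total: int      # sum of account numbers: no purpose other than control


def compute_totals(batch) -> BatchTotals:
    """Calculate every control total for a group of documents."""
    return BatchTotals(
        record_count=len(batch),
        item_count=sum(r.lines for r in batch),
        dollar_total=sum((r.amount for r in batch), Decimal("0")),
        hash_total=sum(int(r.account) for r in batch),
    )


def reconcile(expected: BatchTotals, actual: BatchTotals) -> list[str]:
    """Agree run-to-run totals: name every control total that disagrees.
    An empty list means the batch was accepted whole and unaltered."""
    diffs = []
    for name in ("record_count", "item_count", "dollar_total", "hash_total"):
        e, a = getattr(expected, name), getattr(actual, name)
        if e != a:
            diffs.append(f"{name}: expected {e}, got {a}")
    return diffs


def sequence_check(batch, first: int, last: int) -> tuple[list[int], list[int]]:
    """Return (missing, unexpected) document numbers for the range first..last.
    Missing numbers threaten completeness; extras threaten validity."""
    seen = {r.doc_no for r in batch}
    expected = set(range(first, last + 1))
    return sorted(expected - seen), sorted(seen - expected)


# Constructed batch and the header totals taken when it was batched.
BATCH = [
    Remittance(1001, "1234566", 2, Decimal("125.00")),
    Remittance(1002, "7654320", 1, Decimal("40.00")),
    Remittance(1003, "2468013", 3, Decimal("310.50")),
]
HEADER = compute_totals(BATCH)

# Simulated processing errors:
# (a) document 1003 dropped before keying
DROPPED = BATCH[:2]
# (b) account digits transposed on document 1002 (7654320 -> 7645320); the
#     amount is unchanged, so only the hash total reveals the alteration
TRANSPOSED = [BATCH[0], Remittance(1002, "7645320", 1, Decimal("40.00")), BATCH[2]]
# (c) a document from another batch keyed in by mistake
EXTRA = BATCH + [Remittance(1010, "1111111", 1, Decimal("10.00"))]

if __name__ == "__main__":
    for label, processed in [("dropped", DROPPED), ("transposed", TRANSPOSED), ("extra", EXTRA)]:
        print(label, reconcile(HEADER, compute_totals(processed)) or "totals agree")
        print("  sequence check (missing, unexpected):", sequence_check(processed, 1001, 1003))
```

The dropped document disturbs every total, so even a bare record count would catch it, whereas the transposed account number leaves the record count, item count and dollar total intact and is caught only by the hash total; the extra document is caught by the totals and again by the sequence check, which reports it as a number outside the batch's range. That is the practical meaning of the statement that record counts alone say nothing about validity or accuracy.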

Automated Control Solutions: